Major Security Vulnerability on PrestaShop Websites - CVE-2022-31101

Overview

Fix Major Security Vulnerability on PrestaShop Websites 🚀

CVE-2022-31101 detector and fixer!

A newly found exploit could allow remote attackers to take control of your shop.

Read more about the vulnerability here: https://build.prestashop.com/news/major-security-vulnerability-on-prestashop-websites/.

Fix the backdoor

The module will make a security fix that strengthens the MySQL Smarty cache storage against code injection attacks.

Run this module on your shop to close the security issue.

Remove the malware

Many who have been hacked through this vulnerability have found that their payment gateway has been replaced with a fake one. If you are a victim of this attack, the module can probably recover your shop.

Run this module on your shop to recover from the attack.

How does the module work?

The module scans the files of your shop against a set of patterns designed to find the vulnerable code and the infected files known from this security issue.

The module will solve the problems automatically or tell you how to solve them manually.
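As an added example of the scan-and-fix steps described above (written for this page, not the module's own code): a standalone PHP script that walks a shop directory, flags files that are group- or world-writable, flags files whose contents match a list of indicator patterns, and resets the permissions it is able to change. The two patterns and the 0022 mode mask are assumptions made for this example, not the module's own indicators; run it from the command line with the shop root as the first argument.

```php
<?php
// Added example, not the blmvuln module's own code; the patterns below are constructed placeholders.

const INSECURE_MODE_MASK = 0022;            // group-write and world-write bits
const MAX_SCAN_BYTES     = 2 * 1024 * 1024; // skip large uploads and binaries
const INDICATOR_PATTERNS = [                // constructed for this example, not the CVE's indicators
    '/\beval\s*\(\s*base64_decode\s*\(/i',              // obfuscated eval
    '/\$_(?:GET|POST|REQUEST)\[[\'"]\w+[\'"]\]\s*\(/i', // request value called as a function
];

// Walk the shop root. Returns ['insecure_permissions' => [path => mode], 'suspicious_content' => [path, ...]].
function scanShop(string $root, array $patterns = INDICATOR_PATTERNS): array
{
    $findings = ['insecure_permissions' => [], 'suspicious_content' => []];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {                     // $file is an SplFileInfo
        if (!$file->isFile()) { continue; }
        $path = $file->getPathname();
        $mode = $file->getPerms() & 0777;
        if (($mode & INSECURE_MODE_MASK) !== 0) {
            $findings['insecure_permissions'][$path] = $mode;
        }
        if ($file->getSize() > MAX_SCAN_BYTES) { continue; }
        $contents = (string) file_get_contents($path);
        foreach ($patterns as $pattern) {
            if (preg_match($pattern, $contents) === 1) {
                $findings['suspicious_content'][] = $path;
                break;                              // one hit is enough to report the file
            }
        }
    }
    return $findings;
}

// Cleaning step: reset flagged files to 0644. Returns the paths that could not be changed
// (usually because the PHP process does not own them), which is how a scanner ends up
// reporting the same files again after every "clean" run.
function fixPermissions(array $paths): array
{
    $failed = [];
    foreach ($paths as $path) {
        if (!@chmod($path, 0644)) { $failed[] = $path; }
    }
    return $failed;
}

$report = scanShop($argv[1] ?? __DIR__);
$failed = fixPermissions(array_keys($report['insecure_permissions']));
printf("%d insecure permission(s), %d not fixable, %d suspicious file(s)\n",
    count($report['insecure_permissions']), count($failed), count($report['suspicious_content']));
```

Files listed as "not fixable" have to be corrected by the system user that owns them (for example over SSH with chmod), since the web server's PHP process cannot change modes on files it does not own.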

Install the module

  1. Download the latest version of the module: https://github.com/MathiasReker/blmvuln/releases/latest

  2. Log in to your shop's back office

  3. Go to "Module Manager"

  4. Click on "Upload a Module"

  5. Upload and install the module

Usage

  1. Open the module and click "Run the cleaning process".

  2. After running the cleaning process, you can uninstall the module.

Compatibility

  • PrestaShop 1.6.1+
  • thirty bees 1.0.0+
  • PHP 7.0+

Roadmap

See the open issues for a complete list of proposed features (and known issues).

Contributing

If you have a suggestion to improve this, please fork the repo and create a pull request. You can also open an issue with the tag "enhancement". Finally, don't forget to give the project a star! Thanks again!

License

It is distributed under the MIT License. See LICENSE for more information.

Comments
  • Controller has not been found...

    Thanks for the module, I have installed it in 1.6.1.17 and after opening the module I got an error message.

    Controller has not been found...

    Error log is clean.

    bug 
    opened by KapriQ 5
  • BLM Vulnerability

    Hi,

    I have just used your BLM module. All has gone well but there is one file it says may be infected, but when running clean it does not fix it.

    The file is ............. The following files looks infected. They will be restored or removed by running the cleaning process: docker-compose.yml

    Is this something I can fix or need to be worried about?

    Many thanks in advance.

    cypr00

    enhancement 
    opened by cypr00 5
  • Resolves the vulnerability but keeps showing an error on file permissions

    Hi, first thanks a lot, it seems to have fixed the vulnerability but it keeps showing this message:

    The following filepermissions are insecure. They will be fixed by running the cleaning process:
    themes/default/postcss.config.js
    [...]
    

    with a long list of files

    But when I launch the cleaning it keeps showing this after it ran.

    What can I do?

    Thanks

    question 
    opened by chon59 1
  • No "Run the cleaning process" button

    Hello @MathiasReker

    Thank you for this module.

    And after installation, I can't find the "Run the cleaning process" button, so I can't run it.

    question 
    opened by Inovyou06 1
  • Menu icon still present after uninstalling the module

    Problem: After uninstalling the module on PrestaShop 1.6, it is still present in the menu.

    Workaround: go to Administration -> Menus -> remove blmvuln from the list

    bug help wanted good first issue 
    opened by MathiasReker 0
Releases: 2.2.1

Owner: Mathias Reker ⚡️
Full-stack web developer. I love IT Security. I believe in sharing knowledge, tools and value open source software development. (He/Him)